Logic repository service using encrypted configuration data

ABSTRACT

The following description is directed to a logic repository service. In one example, a method of a logic repository service can include receiving a first request to generate configuration data for configurable hardware using a specification for application logic of the configurable hardware. The method can include generating the configuration data for the configurable hardware. The configuration data can include data for implementing the application logic. The method can include encrypting the configuration data to generate encrypted configuration data. The method can include signing the encrypted configuration data using a private key. The method can include transmitting the signed encrypted configuration data in response to the request.

CROSS REFERENCE TO RELATED APPLICATION

This application is a Continuation of U.S. patent application Ser. No.16/287,973, filed Feb. 27, 2019 (now U.S. Pat. No. 10,778,653), which isa Continuation of U.S. patent application Ser. No. 15/280,677, filedSep. 29, 2016 (now U.S. Pat. No. 10,250,572), both applications titled“LOGIC REPOSITORY SERVICE USING ENCRYPTED CONFIGURATION DATA” whichapplications are incorporated by reference herein in their entirety.

BACKGROUND

Cloud computing is the use of computing resources (hardware andsoftware) which are available in a remote location and accessible over anetwork, such as the Internet. In some arrangements, users are able tobuy these computing resources (including storage and computing power) asa utility on demand. Cloud computing entrusts remote services with auser's data, software and computation. Use of virtual computingresources can provide a number of advantages including cost advantagesand/or the ability to adapt rapidly to changing computing resourceneeds.

The users of large computer systems may have diverse computingrequirements resulting from different use cases. A compute serviceprovider can include various different computer systems having differenttypes of components with varying levels of performance and/orfunctionality. Thus, a user can select a computer system that canpotentially be more efficient at executing a particular task. Forexample, the compute service provider can provide systems with varyingcombinations of processing performance, memory performance, storagecapacity or performance, and networking capacity or performance.However, some users may desire to use hardware that is proprietary orhighly specialized for executing their computing tasks. Thus, thecompute service provider can be challenged to provide specializedcomputing hardware for these users while keeping a healthy mix ofgeneralized resources so that the resources can be efficiently allocatedamong the different users.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a system diagram showing an example of a system including alogic repository service for managing configuration data.

FIG. 2 is a system diagram showing an example architecture of a logicrepository service.

FIG. 3 illustrates an example of ingestion and generation ofconfiguration data as can be performed by a logic repository service.

FIG. 4 is an example system diagram showing a plurality of virtualmachine instances running in a multi-tenant environment including alogic repository service.

FIG. 5 shows further details of the example system of FIG. 4 includingcomponents of a control plane and a data plane for configuring andinterfacing to a configurable hardware platform.

FIG. 6 is a flow diagram of an example method of managing configurationdata for configuring configurable hardware in a multi-tenantenvironment.

FIG. 7 is a flow diagram of another example method of managingconfiguration data for configuring configurable hardware in amulti-tenant environment.

FIG. 8 depicts a generalized example of a suitable computing environmentin which the described innovations may be implemented.

DETAILED DESCRIPTION

One solution for providing specialized computing resources within a setof reusable general computing resources is to provide a server computercomprising a configurable logic platform (such as by providing a servercomputer with an add-in card including a field-programmable gate array(FPGA)) as a choice among the general computing resources. Configurablelogic is hardware that can be programmed or configured to perform alogic function that is specified by configuration data that is appliedto the configurable logic. For example, a user of the computingresources can provide a specification (such as source code written in ahardware description language or other language) for configuring theconfigurable logic, the configurable logic can be configured accordingto the specification, and the configured logic can be used to perform atask for the user. However, allowing a user access to low-level hardwareof the computing facility can potentially introduce security and privacyissues within the computing facility. As a specific example, a faulty ormalicious design from one user could potentially cause a denial ofservice to other users if the configured logic caused one or more servercomputers within the computing facility to malfunction (e.g., crash,hang, or reboot) or be denied network services. As another specificexample, a faulty or malicious design from one user could potentiallycorrupt or read data from another user if the configured logic is ableto read and/or write memory of the other user's memory space. As anotherspecific example, a faulty or malicious design from a user couldpotentially cause the configurable logic platform to malfunction if theconfigured logic includes a circuit (such as a ring oscillator) thatcauses the device to exceed a power consumption or temperaturespecification of the configurable logic platform.

As described herein, a compute services facility can include a varietyof computing resources, where one type of the computing resources caninclude a server computer comprising a configurable logic platform. Theconfigurable logic platform can be programmed or configured by a user ofthe computer system so that hardware (e.g., the configurable logic) ofthe computing resource is customized by the user. For example, the usercan program the configurable logic so that it functions as a hardwareaccelerator that is tightly coupled to the server computer. For example,the hardware accelerator can be accessible via a local interconnect,such as Peripheral Component Interconnect Express (PCI-Express or PCIe),of the server computer. The user can execute an application on theserver computer and tasks of the application can be performed by thehardware accelerator using PCIe transactions. By tightly coupling thehardware accelerator to the server computer, the latency between theaccelerator and the server computer can be reduced which can potentiallyincrease the processing speed of the application.

The compute services provider can manage the computing resources usingsoftware services to manage the configuration and operation of theconfigurable hardware. As one example, the compute service provider canexecute a logic repository service for ingesting a hardware or logicdesign of a user and generating cryptographically signed and encryptedconfiguration data for configuring the configurable logic platform basedon the logic design of the user. Encrypted data is encoded such that theinformation in the data generally cannot be understood unless theencrypted data is first decrypted with a decryption key. The signed andencrypted configuration data can be downloaded in response to a requestto configure an instance of the configurable logic platform. Forexample, the request for the signed and encrypted configuration data canbe from the user that developed the logic design or from a user that hasacquired a license to use the logic design. The signed and encryptedconfiguration data can be decrypted by software and/or hardware providedby the compute services provider. Thus, logic designs can be created bythe compute services provider, a user, or a third-party separate fromthe user or the compute services provider. For example, a marketplace ofaccelerator intellectual property (IP) can be provided to the users ofthe compute services provider, and the users can potentially increasethe speed of their applications by selecting an accelerator from themarketplace. The IP can potentially be protected by encrypting theconfiguration data so that the user of the IP cannot easily view orreverse engineer the IP. The compute services provider can verify thatthe IP is authentic and unmodified by verifying that the signature isvalid.

The compute services provider can potentially increase the securityand/or availability of the computing resources by using the logicrepository service to validate that logic designs conform torequirements of the compute services provider. For example, the logicrepository service can check that a user-created logic design (customerlogic or application logic) is compatible with host logic provided bythe compute services provider. When the configurable logic platform isconfigured, both the host logic and the application logic can be loadedonto the configurable logic platform. The host logic can provide aframework or sandbox for the application logic to work within. Inparticular, the host logic can communicate with the application logicand constrain the functionality of the application logic to potentiallyincrease the security and/or availability of the computing resources.For example, the host logic can perform bridging functions between thelocal interconnect (e.g., the PCIe interconnect) and the applicationlogic so that the application logic cannot directly control thesignaling on the local interconnect. The host logic can be responsiblefor forming packets or bus transactions on the local interconnect andensuring that the protocol requirements are met. By controllingtransactions on the local interconnect, the host logic can potentiallyprevent malformed transactions or transactions to out-of-boundslocations.

FIG. 1 is a system diagram showing an example of a system 100 includinga logic repository service 110 for managing configuration data that canbe used to configure configurable resources within compute resources120. In particular, the logic repository service 110 can be used foringesting host and application logic into an infrastructure of a computeservices provider, generating configuration data based on the ingesteddesigns, maintaining a repository of the ingested designs and thegenerated configuration data, and providing configuration data for theconfigurable compute resources when the resources are deployed.

The logic repository service 110 can be a network-accessible service,such as a web service. Web services are commonly used in cloudcomputing. A web service is a software function provided at a networkaddress over the web or the cloud. Clients initiate web service requeststo servers and servers process the requests and return appropriateresponses. The client web service requests are typically initiatedusing, for example, an API request. For purposes of simplicity, webservice requests will be generally described below as API requests, butit is understood that other web service requests can be made. An APIrequest is a programmatic interface to a defined request-responsemessage system, typically expressed in JSON or XML, which is exposed viathe web—most commonly by means of an HTTP-based web server. Thus, incertain implementations, an API can be defined as a set of HypertextTransfer Protocol (HTTP) request interfaces, along with a definition ofthe structure of the messages used to invoke the API and the responsemessages, which can be in an Extensible Markup Language (XML) orJavaScript Object Notation (JSON) format. The API can specify a set offunctions or routines that perform an action, which includesaccomplishing a specific task or allowing interaction with a softwarecomponent. When a web service receives the API request from a clientdevice, the web service can generate a response to the request and sendthe response to the endpoint identified in the request. Additionally oralternatively, the web service can perform actions in response to theAPI request without generating a response to the endpoint identified inthe request.

The logic repository service 110 can receive an API request 130 togenerate configuration data for a configurable hardware platform, suchas the configurable hardware 142 of the server computer 140. Forexample, the API request 130 can be originated by a developer or partneruser of the compute services provider. The request 130 can includefields for specifying data and/or metadata about the logic design, theconfigurable hardware platform, user information, access privileges,production status, and various additional fields for describinginformation about the inputs, outputs, and users of the logic repositoryservice 110. As specific examples, the request can include a descriptionof the design, a production status (such as trial or production), anencrypted status of the input or output of the service, a reference to alocation for storing an input file (such as the hardware design sourcecode), a type of the input file, an instance type of the configurablehardware, and a reference to a location for storing an output file orreport. In particular, the request can include a reference to a hardwaredesign specifying application logic 132 for implementation on theconfigurable hardware platform. Specifically, a specification of theapplication logic 132 and/or of the host logic 134 can be a collectionof files, such as source code, a netlist generated by a logic synthesistool, and/or placed and routed logic gates generated by a place androute tool. The source code can include code written in a hardwaredescription language (HDL), a register transfer logic (RTL) language, ora high-level language such as Open Computing Language (OpenCL) or C.

The compute resources 120 can include many different types of hardwareand software categorized by instance type. In particular, an instancetype specifies at least a portion of the hardware and software of aresource. For example, hardware resources can include servers withcentral processing units (CPUs) of varying performance levels (e.g.,different clock speeds, architectures, cache sizes, and so forth),servers with and without co-processors (such as graphics processingunits (GPUs) and configurable logic), servers with varying capacity andperformance of memory and/or local storage, and servers with differentnetworking performance levels. Example software resources can includedifferent operating systems, application programs, and drivers. Oneexample instance type can comprise the server computer 140 including acentral processing unit (CPU) 144 in communication with the configurablehardware 142. The configurable hardware 142 can include programmablelogic such as an FPGA, a programmable logic array (PLA), a programmablearray logic (PAL), a generic array logic (GAL), or a complexprogrammable logic device (CPLD), for example. As specific examples, an“F1.small” instance type can include a first type of server computerwith one capacity unit of FPGA resources, an “F1.medium” instance typecan include the first type of server computer with two capacity units ofFPGA resources, an “F1.large” instance type can include the first typeof server computer with eight capacity units of FPGA resources, and an“F2.large” instance type can include a second type of server computerwith eight capacity units of FPGA resources.

The server computer 140 can include a cryptographic engine 146. Thecryptographic engine 146 can be used to authenticate a cryptographicdigital signature and/or to decrypt encrypted information (such asencrypted configuration data). Specifically, the cryptographic engine146 can decrypt the signed and encrypted configuration data 162 using adecryption key. As one example, the cryptographic engine 146 can includesoftware executing on the CPU 144. As another example, the cryptographicengine 146 can include hardware executing on the configurable hardware142. In particular, the configurable hardware 142 can include staticlogic that is loaded during a power-on or initialization sequence of theconfigurable hardware 142. Specifically, configuration datacorresponding to the static logic can be stored in a memory (such as aflash memory) that is used to program the configurable hardware 142 withthe static logic during the initialization sequence. The static logiccan include all or a portion of the cryptographic engine 146. As anotherexample, the cryptographic engine 146 can include hardware and softwareexecuting on the server computer 140.

The logic repository service 110 can generate configuration data 136 inresponse to receiving the API request 130. The generated configurationdata 136 can be based on the application logic 132 and the host logic134. Specifically, the generated configuration data 136 can includeinformation that can be used to program or configure the configurablehardware 142 so that it performs the functions specified by theapplication logic 132 and the host logic 134. As one example, thecompute services provider can generate the host logic 134 includinglogic for interfacing between the CPU 144 and the configurable hardware142. Specifically, the host logic 134 can include logic for masking orshielding the application logic 132 from communicating directly with theCPU 144 so that all CPU-application logic transactions pass through thehost logic 134. In this manner, the host logic 134 can potentiallyreduce security and availability risks that could be introduced by theapplication logic 132.

Generating the configuration data 136 can include performing checksand/or tests on the application logic 132, integrating the applicationlogic 132 into a host logic 134 wrapper, synthesizing the applicationlogic 132, and/or placing and routing the application logic 132.Checking the application logic 132 can include verifying the applicationlogic 132 complies with one or more criteria of the compute servicesprovider. For example, the application logic 132 can be analyzed todetermine whether interface signals and/or logic functions are presentfor interfacing to the host logic 134. In particular, the analysis caninclude analyzing source code and/or running the application logic 132against a suite of verification tests. The verification tests can beused to confirm that the application logic is compatible with the hostlogic. As another example, the application logic 132 can be analyzed todetermine whether the application logic 132 fits within a designatedregion of the specified instance type. As another example, theapplication logic 132 can be analyzed to determine whether theapplication logic 132 includes any prohibited logic functions, such asring oscillators or other potentially harmful circuits. As anotherexample, the application logic 132 can be analyzed to determine whetherthe application logic 132 has any naming conflicts with the host logic134 or any extraneous inputs or outputs that do not interface with thehost logic 134. As another example, the application logic 132 can beanalyzed to determine whether the application logic 132 attempts tointerface to restricted inputs, outputs, or hard macros of theconfigurable hardware 142. If the application logic 132 passes thechecks of the logic repository service 110, then the configuration data136 can be generated. If any of the checks or tests fail, the generationof the configuration data 136 can be aborted.

Generating the configuration data 136 can include compiling and/ortranslating source code of the application logic 132 and the host logic134 into data that can be used to program or configure the configurablehardware 142. For example, the logic repository service 110 canintegrate the application logic 132 into a host logic 134 wrapper.Specifically, the application logic 132 can be instantiated in a systemdesign that includes the application logic 132 and the host logic 134.The integrated system design can be synthesized, using a logic synthesisprogram, to create a netlist for the system design. The netlist can beplaced and routed, using a place and route program, for the instancetype specified for the system design. The placed and routed design canbe converted to configuration data 136 which can be used to program theconfigurable hardware 142. For example, the configuration data 136 canbe directly output from the place and route program.

As one example, the generated configuration data 136 can include acomplete or partial bitstream for configuring all or a portion of theconfigurable logic of an FPGA. An FPGA can include configurable logicand non-configurable logic. The configurable logic can includeprogrammable logic blocks comprising combinational logic and/or look-uptables (LUTs) and sequential logic elements (such as flip-flops and/orlatches), programmable routing and clocking resources, programmabledistributed and block random access memories (RAMs), digital signalprocessing (DSP) bitslices, and programmable input/output pins. Thebitstream can be loaded into on-chip memories of the configurable logicusing configuration logic (e.g., a configuration access port). Thevalues loaded within the on-chip memories can be used to control theconfigurable logic so that the configurable logic performs the logicfunctions that are specified by the bitstream. Additionally, theconfigurable logic can be divided into different regions which can beconfigured independently of one another. As one example, a fullbitstream can be used to configure the configurable logic across all ofthe regions and a partial bitstream can be used to configure only aportion of the configurable logic regions. The non-configurable logiccan include hard macros that perform a specific function within theFPGA, such as input/output blocks (e.g., serializer and deserializer(SERDES) blocks and gigabit transceivers), analog-to-digital converters,memory control blocks, test access ports, and configuration logic forloading the configuration data onto the configurable logic.

The logic repository service 110 can store the generated configurationdata 136 in a logic repository database 150. The logic repositorydatabase 150 can be stored on removable or non-removable media,including magnetic disks, direct-attached storage, network-attachedstorage (NAS), storage area networks (SAN), redundant arrays ofindependent disks (RAID), magnetic tapes or cassettes, CD-ROMs, DVDs, orany other medium which can be used to store information in anon-transitory way and which can be accessed by the logic repositoryservice 110. Additionally, the logic repository service 110 can be usedto store input files (such as the specifications for the applicationlogic 132 and the host logic 134) and metadata about the logic designsand/or the users of the logic repository service 110. The generatedconfiguration data 136 can be indexed by one or more properties such asa user identifier, an instance type or types, a marketplace identifier,a machine image identifier, and a configurable hardware identifier, forexample.

The logic repository service 110 can store the generated configurationdata 136 in the logic repository database 150 in an encrypted or anunencrypted format. Additionally, the logic repository service 110 cantransmit the generated configuration data 136 in an encrypted or anunencrypted format to one or more recipients. Thus, the configurationdata 136 can be encrypted before it is stored in the logic repositorydatabase 150 and/or after the configuration data 136 is retrieved fromthe logic repository database 150. As one example, the logic repositorydatabase 150 can return unencrypted configuration data in response to arequest from the compute services provider development team. Receivingunencrypted configuration data may be beneficial when developing hostlogic or logic for all or portions of the cryptographic engine 146 thatare implemented in configurable hardware. As another example, the logicrepository database 150 can return encrypted configuration data inresponse to a request from a developer of application logic or anend-user of the computer resources 120. By encrypting the configurationdata delivered to the developer of application logic or the end-user ofthe computer resources 120, the IP associated with the host logic and/orthird party application logic can potentially be protected. As anotherexample, the logic repository database 150 can return signed andencrypted configuration data 162. In particular, the logic repositoryservice 110 can generate a digital signature based on the encrypted orunencrypted configuration data and a private key. The digital signaturecan be used to verify that the configuration data is authentic (e.g.,generated by the logic repository service 110) and unmodified.

Encryption is a method for potentially protecting confidential data.Encryption can include using a cryptographic algorithm to encode datasuch that the information in the data generally cannot be understoodunless the encrypted data is first decrypted with a decryption key. Forexample, one or more keys can be used to encrypt the configuration datausing a cryptographic algorithm. A “key” is a number that can vary inlength depending on the cryptographic algorithm. Exemplary cryptographicalgorithms can be symmetric or asymmetric. For a symmetric algorithm,the same key can be used for encryption and decryption of the data. Inother words, a symmetric key can function as both an encryption key anda decryption key for the data. It is desirable to safeguard a symmetrickey because anyone having access to the key can potentially decrypt datathat has been encrypted using the key. Symmetric algorithms can be basedon stream ciphers or block ciphers. Examples of symmetric cryptographicalgorithms include Advanced Encryption Standard (AES), Data EncryptionStandard (DES), triple-DES, Twofish, Serpent, Blowfish, and CAST-128.For an asymmetric algorithm, a public key can be used for encryption anda private key can be used for decryption of data. The public key and theprivate key form a key pair, where the public key and the private keyare mathematically related. The public encryption key can be freelyaccessible since it can only be used to encrypt data, but it isdesirable to safeguard the private decryption key since it can be usedto potentially decrypt the data. Examples of asymmetric cryptographicalgorithms can include the RSA algorithm or an algorithm based onelliptic curve cryptography.

The logic repository service 110 can receive an API request 160 toretrieve configuration data and signed and encrypted configuration data162 can be returned in response to the request 160. For example, therequest 160 can be generated when a developer or user of the computeresources 120 creates a template for a volume of a new software instancetype that can execute on a hardware instance type including theconfigurable hardware 142. In particular, the volume can include storagespace containing a file system for storing the signed and encryptedconfiguration data 162 and program code for an operating system,application program(s), device drivers, and so forth. When the userlaunches a new software instance on a particular hardware resource, thesoftware instance is provided with access to a volume having the dataspecified by the template for the volume. Thus, the software instancecan access an operating system, application programs, the signed andencrypted configuration data 162, and any other data or program storedon the template volume. As another example, the request 160 can begenerated when a user of the compute resources 120 launches or deploys anew instance (e.g., an “F1.small” instance) within the compute resources120. As another example, the request 160 can be generated in response toa request from an application executing on an operating instance. Therequest 160 can include a reference to the source and/or destinationinstance, a reference to the configuration data to download (e.g., aninstance type, a marketplace identifier, a machine image identifier, ora configurable hardware identifier), a user identifier, an authorizationtoken, and/or other information for identifying the configuration datato download and/or authorizing access to the configuration data. If theuser requesting the configuration data is authorized to access theconfiguration data, the configuration data can be retrieved from thelogic repository database 150, and signed and encrypted configurationdata 162 (e.g. a full or partial bitstream) can be downloaded to therequesting instance (e.g., server computer 140). The signed andencrypted configuration data 162 can be used to configure theconfigurable logic of the destination instance. Specifically, thecryptographic engine 146 can verify a signature of the signed andencrypted configuration data 162 and if the signature is verified asauthentic, the cryptographic engine 146 can decrypt the signed andencrypted configuration data 162 so that the configurable hardware 142can be configured.

The logic repository service 110 can verify that the signed andencrypted configuration data 162 can be downloaded to the requestinginstance. Validation can occur at multiple different points by the logicrepository service 110. For example, validation can include verifyingthat the application logic 132 is compatible with the host logic 134. Inparticular, a regression suite of tests can be executed on a simulatorto verify that the host logic 134 performs as expected after theapplication logic 132 is added to the design. Additionally oralternatively, it can be verified that the application logic 132 isspecified to reside only in reconfigurable regions that are separatefrom reconfigurable regions of the host logic 134. As another example,validation can include verifying that the signed and encryptedconfiguration data 162 is compatible with the instance type to downloadto. As another example, validation can include verifying that therequestor is authorized to access the signed and encrypted configurationdata 162. If any of the validation checks fail, the logic repositoryservice 110 can deny the request to retrieve the signed and encryptedconfiguration data 162. Thus, the logic repository service 110 canpotentially safeguard the security and the availability of the computingresources 120 while enabling a user to customize hardware of thecomputing resources 120.

As an alternative to having the signed and encrypted configuration data162 be transmitted from the logic repository service 110 to an instanceof the compute resources 120, the signed and encrypted configurationdata 162 can be loaded onto the instance of the compute resources 120 inother ways. As a specific example, a developer can request a copy of thesigned and encrypted configuration data 162 from the logic repositoryservice 110. The developer can manage distribution of the signed andencrypted configuration data 162, such as by providing it to a customerof the compute resources 120. Thus, the developer can enable or causethe signed and encrypted configuration data 162 to be loaded onto theserver computer 140 without using the logic repository service 110 toperform the loading. By signing and encrypting the configuration data,the developer and the compute service provider can both protect the IPof the developer and verify that the design corresponding to theconfiguration data is unmodified from when it was produced by the logicrepository service 110. Thus, even though the signed and encryptedconfiguration data 162 has left the control of the logic repositoryservice 110, the integrity of the configuration data can potentially beverified and malicious and/or faulty designs can potentially be excludedfrom being loaded on the configurable hardware 142 of the servercomputer 140.

FIG. 2 is a system diagram showing an example architecture 200 of alogic repository service 205. For example, the logic repository service205 can include software executing on a server computer managed by acompute services provider. The logic repository service 205 can beaccessed through one or more web APIs.

The logic repository service 205 can include a provider interface 210for servicing API requests by the compute service provider. The providerinterface 210 can be used to authenticate that requests are from agentsof the compute service provider, such as by authenticating the identityof the requestor using credentials provided in the request. The providerinterface 210 can provide host logic ingestion functionality 215. Inparticular, the provider interface 210 can receive a request to upload ahost logic design to the logic repository service 205 and the requestcan be processed by the host logic ingestion functionality 215. Asdescribed previously, the host logic can include logic for sandboxingthe application logic to maintain the security and availability of thecomputing resources. Additionally, the host logic can be further dividedinto static logic and reconfigurable logic. The static logic can beconfigured during an initialization sequence (e.g., at boot time),whereas the reconfigurable logic can be configured at different timesduring the operation of the configurable logic. As one example, the PCIExpress interface can specify that a PCI endpoint be booted andenumerated within about one hundred milliseconds after a reset signal isdeasserted. The host logic can be divided into static logic that can beloaded within the allotted time window, and reconfigurable logic thatcan be loaded after the time window has passed. The static logic can beused as an interface between different reconfigurable regions. The hostlogic design can be specified using HDL or register transfer logic (RTL)source code, such as Verilog or VHDL. The RTL can be encrypted ornon-encrypted. The host logic ingestion module 215 can be used toperform checks on the received host logic design, decrypt the host logicdesign, and/or provide versioning information for the host logic design.Additionally, the request can include information for associating thehost logic design with one or more instance types. For example, somehost logic designs may work only with one subset of instance types andother host logic designs may work only with a different subset ofinstance types.

The logic repository service 205 can include a customer-developerinterface 220 for servicing API requests from the users of the logicrepository service 205. The customer-developer interface 220 can be usedto authenticate that requests are from users of the compute serviceprovider, such as by authenticating the identity of the requestor usingcredentials provided in the request. For example, each of the users canbe provided with an account that can be used to identify the user foraccess management, billing, and usage tracking. The users can be limitedto viewing and modifying only the logic designs to which they areauthorized to access. For example, the users can be prevented fromuploading and/or modifying host logic.

The customer-developer interface 220 can include application logicingestion functionality 225 for receiving and/or processing anapplication logic design. The application logic design can be specifiedusing source code (e.g., HDL or RTL code), a netlist including a list ofconfigurable logic blocks and the connections between the configurablelogic blocks, and/or configuration data. For example, the configurationdata can include a full or partial bitstream which has been pre-compiledbefore being uploaded to the logic repository service. The applicationlogic will be combined with host logic (such as by a configuration datageneration block 230) to create the logic that can be loaded onto aconfigurable hardware platform. Processing the application logic designcan include translating and/or compiling source code to a lower levelformat (e.g., compiling OpenCL to generate behavioral or structuralVerilog), verifying that required logic and/or signals are present (suchas interface signals to the host logic), verifying that known restrictedcircuits are not present (such as ring oscillators), and other varioustasks in preparation for generating configuration data.

The customer-developer interface 220 can accept various types ofrequests from a user. As one example, a user can request to create aconfigurable hardware image (CHI). A CHI can provide information forconfiguring an instance of configurable hardware within a computingenvironment. For example, a CHI can include one or more compatibleinstance types, the configuration data for configuring the configurablehardware, access permissions for controlling access to the CHI, and anyother information associated with configuring the configurable hardware.The request to create the CHI can include fields for a designdescription or title, a production status of the design, whether or notthe design is encrypted, a reference to source code for the design, atype of source code indicator, an instance type or types that arecompatible with the configuration data, and a reference to a location tostore reporting information.

As another example, a second request type can be used to retrieveinformation about CHIs that are associated with the user. In particular,the request can include fields such as a CHI identifier, a machine image(MI) identifier, a product code, an instance type, and an instanceidentifier. In response to the request, the customer-developer interface220 can present information about the CHIs that are associated with theuser that match one or more of the fields in the request. For example,all CHIs matching the search fields can be listed along with a statusassociated with each CHI. The CHI can be reported to be in a trial orproduction state, or in a complete or in-progress state. For example, itcan take multiple hours to create a CHI from source code and so thisrequest can be used to check a status of synthesis or implementation ofthe CHI.

As another example, a third type of request can be to associate a CHI toan MI. An MI can provide information for launching an instance ofcomputing resources within a computing environment. In one embodiment,the instance is a virtual machine executing within a hypervisorexecuting on a server computer within the computing environment. An MIcan include a type of the instance (such as by specifying anarchitecture, a CPU capability, a co-processor, a peripheral, and/or aconfigurable hardware design), a template for a root volume (e.g.,including an operating system, device drivers, and/or applications) forthe instance, and access permissions (e.g., a list of accountsauthorized to use the MI) for controlling the accessibility of the MI,and a block device mapping for specifying volumes to attach to theinstance when it is launched. By associating an MI to a CHI, theconfigurable data associated with the CHI can be downloaded toconfigurable logic of a server computer when a virtual machine based onthe MI is launched.

As another example, a fourth type of request can be to publish a CHI toa marketplace. For example, a product code can be associated with theCHI, which can enable the CHI to be listed in a marketplace. Themarketplace can be viewable by users of the compute services provider,and can provide a list of hardware accelerator IP that has beendeveloped by one user and is available for license or purchase byanother user. When a user buys or licenses a CHI published in themarketplace, the account information of the user can be added to thelist of users that can access the CHI.

The configuration data generation block 230 can be used to createconfiguration data. For example, the configuration data can be based onan application logic design and a host logic design. As another example,the configuration data can be based on only an application logic designor only a host logic design. In particular, the configuration datageneration block 230 can generate static logic based only on the hostlogic design. Additionally, the configuration data generation block 230can generate reconfigurable logic for one or more reconfigurable regionsof the configurable logic. For example, the configuration datageneration block 230 can be used to generate host reconfigurable logicfor a region reserved for host functions. As another example, theconfiguration data generation block 230 can be used to generateapplication reconfigurable logic for a region reserved primarily forapplication functions.

Inputs to the configuration data generation block 230 can be anapplication logic design (such as from the application logic ingestion225), a host logic design (such as from the host logic ingestion 215),and/or constraints describing various implementation details (such asclock frequencies, partitioning information, placement information, atarget technology, and so forth). The logic designs can include sourcecode described using an HDL, a netlist, and/or configuration data. Theconfiguration data generation block 230 can combine an application and ahost design into one design to create the configuration data. Asdescribed in more detail with reference to FIG. 3, the configurationdata generation block 230 can include a logic synthesis tool and a placeand route tool. Using these tools, the configuration data generationblock 230 can create configuration data for loading on a configurablehardware platform.

The output from the configuration data generation block 230 can bemanaged using the logic library management block 240. For example, thelogic library management block 240 can associate user information withthe configuration data and store the information at the logic repositorydatabase 250. The logic library management block 240 can be used tomaintain the ownership and versioning of various logic components andsource input files. The logic library management block 240 can include acryptography engine 245 for performing encryption and decryption of thedesign source code files and/or the CHI files. As one example, the filescan be stored encrypted at the logic repository database 250. As anotherexample, the files can be stored unencrypted at the logic repositorydatabase 250 and the files can encrypted prior to being transmitted fromthe logic repository service 205. As another example, the files can beencrypted using a first key when stored at the logic repository database250, and the files can be decrypted and re-encrypted using a second keywhen being transmitted from the logic repository service 205. Byencrypting the files, the intellectual property of different users canbe safeguarded.

The cryptography engine 245 can be used for encrypting the generatedconfiguration data. The generated configuration data can be encryptedusing a symmetric and/or asymmetric cryptography algorithm. A symmetriccryptography algorithm can use a single key for both an encryption keyand a decryption key for the data. An asymmetric cryptography algorithmcan use a public key for encryption and a private key for decryption ofthe data. The cryptography engine 245 can use a single key or set ofkeys for encryption and decryption or the cryptography engine 245 canuse different keys for encryption and decryption for each respectivecustomer or developer of the compute services provider. By usingdifferent keys for each respective customer or developer, the IPprotection can potentially be enhanced since multiple keys must bediscovered to decrypt all of the hardware design data. The cryptographyengine 245 can be used for decrypting the generated configuration data.For example, unencrypted configuration data can be made available to thecompute services provider or to the developer of the configuration datausing the provider interface 210 or the customer/developer interface220, respectively.

The cryptography engine 245 can be used for cryptographically signingthe design source code files and/or the CHI files. Signing a file caninclude applying a cryptographic hash function to the file to create ahash value or digest. As one example, the cryptographic hash functioncan include a block cipher, such as the advanced encryption standard(AES). The cryptographic hash function can be used to map a file ofarbitrary size to a hash value that can be represented by a fixed numberof bits. The digest can be encrypted using a private key of the logicrepository service 205 to create at least a portion of the signature forthe file. The signature can also include additional information such asa public key for decrypting the encrypted digest and a name or referenceto the cryptographic hash function used to create the digest for thefile. The computational requirements to produce the signature canpotentially be reduced by encrypting only the digest rather than theentire file using the private key. The signature can be appended to thefile before or after encryption of the file. Any modifications to theencrypted and signed file can potentially be detected by authenticatingthe signature of the file. For example, after the encrypted and signedfile is received, the signature can be authenticated. Authentication caninclude decrypting the signature with the public key that is paired withthe private key to create a received digest. The received digest can becompared to a digest generated from the decrypted file using the samecryptographic hash function that was used to create the original digest.If the received digest matches the digest separately generated by thereceiver, then the signature is authentic and the file is unmodified.

The computing services interface 260 can be used as an interface betweenthe logic repository service 205 and computing resources. For example,when an instance is created on the computing resources, an API requestcan be sent to the computing services interface 260 and configurationdata can be downloaded to the requesting resource. A first type ofrequest can be in response to initiating or deploying a new instance ona server computer of the compute resources. For example, the request canbe for static logic to load and boot before the configurable logic isenumerated on interconnect of the server computer. In particular, therequest can be serviced by the static logic download block 265, whichcan retrieve configuration data from the logic repository database 250via the logic library management block 240. The static logic downloadcomponent 265 can be used to download static logic to the configurablehardware platform on the requesting instance. Additionally, a requestcan be for reconfigurable logic, and the reconfigurable logic downloadcomponent 264 can be used to service the request. Specifically, thereconfigurable logic download can retrieve the configuration datathrough the logic repository database 250 via the logic librarymanagement block 240. The request can be for reconfigurable host logicor for reconfigurable application logic. The request for reconfigurablelogic can be in response to initiating or deploying a new instance on aserver computer of the compute resources. Alternatively, the request forreconfigurable logic can be in response to a client application runningon the server computer requesting the reconfigurable logic. For example,an application program running on the server computer can request tohave different hardware accelerators downloaded to the configurablehardware platform at different points of the program. The computingservices interface 260 can authenticate requests so that only users withaccess privileges to retrieve the configurable logic data can downloadthe configuration data. For example, the request can include anauthorization token, and if the authorization token matches an expectedauthorization token, the request can be serviced. Otherwise, the requestcan be denied.

The computing services interface 260 can also be used to receiveinformation from the computing resources. For example, the computingservices interface 260 can receive status updates from the computingresources when instances are created, reconfigured, or used on thecomputing resources. As a specific example, the computing servicesinterface 260 can be notified whether configuration data wassuccessfully deployed on a computing resource. For example, theconfiguration data may fail to be deployed due to a hardware malfunctionor for other reasons. The computing services interface 260, inconjunction with the logic library management block 240, can maintainusage data, failure reports, and/or statistics about the differentdesigns stored in the logic repository database 250. The statistics canbe provided to the compute services provider or the user upon demandwhen a request is received at the provider interface 210 or thecustomer/developer interface 220, for example.

FIG. 3 illustrates an example flow 300 of ingesting logic designs andproducing configuration data as can be performed by a logic repositoryservice. During ingestion 310, an application logic design and/or a hostlogic design can be received by a logic repository service. The logicdesign can be encrypted, such as by using the IEEE 1735-2014 encryptionstandard. The logic design can be decrypted during ingestion 310 orduring a later step of the flow 300.

As one example, source code for the application logic and the host logiccan be received during the ingestion 310 and the application logic andthe host logic can be combined into a single design to produce sourcecode for logic synthesis 320. The logic synthesis 320 can be used totransform a specification written in behavioral and/or structural RTLinto a netlist based on a target technology. For example, the logicsynthesis 320 can target different configurable logic technologies, suchas FPGAs having different architectures, manufacturing processes,capacities, and/or manufacturers. The netlist can include a number ofconfigurable logic blocks, non-configurable blocks (e.g., hard macros),and the connections between the different blocks. The netlist can be alogical netlist where blocks of the netlist are enumerated but unplacedwithin the target technology. The netlist can be used as input to placeand route 330. The place and route 330 can take the instances of theconfigurable blocks from the netlist and the routing information, andmap the blocks to a physical device. The place-and-routed design caninclude a physical mapping for each of the logical components of thenetlist. Additionally or alternatively, the place and route 330 can betiming driven so that the netlist is modified based on timingconstraints of the design and the physical constraints of the physicaldevice. The output of the place and route 330 can be configuration data,such as a bitstream image. The configuration data can be partitioned ordivided into different components. For example, the configuration datacan include data associated with static host logic, reconfigurable hostlogic, and/or reconfigurable application logic. The different componentscan be overlapping or non-overlapping. For example, the static hostlogic can be routed through regions that are used by the reconfigurableapplication logic. Thus, a partial bitstream for the reconfigurableapplication logic can also include portions of the static host logic.

As another example, a netlist for the application logic and/or the hostlogic can be received during the ingestion 310. As a specific example, anetlist can be received for the application logic and source code can bereceived for the host logic. In this case, the host logic can besynthesized with the logic synthesis 320 to generate a netlist for thehost logic, and the netlists for the host and application logic can becombined into a single design to produce a netlist for the place androute 330. As another example, configuration data for the applicationlogic and/or the host logic can be received during the ingestion 310.For example, a partial bitstream for the application logic design can bereceived, or a full bitstream for the host and application logic designcan be received.

The logic repository service can also include library management andvalidation 340 functionality. For example, each step of the flow 300 cangenerate intermediate data and/or files that can be stored in adatabase. In particular, the database can be indexed by a developer'saccount identifier, so that the developer can access source code,reports, and configuration data associated with the developer. As oneexample, source code for application logic can be associated with adeveloper's account identifier during ingestion 310. The source code canbe associated with a version identifier that is provided by thedeveloper or generated during ingestion 310. Multiple versions of sourcecode can be maintained for an account and stored within the database.Each version of the application logic can be associated with a versionof the host logic. Each version of configuration data can correspond toa particular version of the application logic and a particular versionof the host logic. A bitstream or CHI identifier can be created whenconfiguration data is generated, and the source code, netlist, andreports can be labelled with the CHI identifier. The reports can begenerated at the various steps of the flow 300 to provide informationabout the logic designs. For example, one or more synthesis reports canbe generated by the logic synthesis 320 and one or more reports can begenerated by the place and routing 330. As one example, animplementation report can be generated to provide information about autilization of the logic designs. In particular, a percentage of thehardware resources used by the design can be provided so that the designcan be implemented on appropriate instance types.

As another example, a timing report can provide a static timing analysisshowing whether the design meets timing specifications of theconfigurable hardware. The logic synthesis 320 and the place and route330 can involve random, non-deterministic steps that vary with each runof the tools so that each run of the logic synthesis 320 and the placeand route 330 may provide different results. Thus, if a developer has adesign that does not meet timing (as indicated by the timing report),the developer may desire to rerun the logic synthesis 320 and/or theplace and route 330. In this manner, the developer can iterate on theirdesign by executing multiple synthesis and routing runs for the samedesign. When one of the synthesis and place and route runs yieldsresults that meet the timing specifications of the configurable hardwarelogic, the developer can mark that run as a production run. For example,the developer can change the status of the CHI generated from that runto production and can associate a bitstream identifier with thegenerated configuration data.

The library management and validation 340 functionality can be used tovalidate the user designs for the configurable logic at various pointsduring the development and deployment steps. As one example, thevalidation 340 can include performing simulations to verify whether theapplication logic is compatible with the host logic so that the hostlogic can constrain the functionality of the application logic. Thevalidation 340 can include comparing a netlist of the application logicand confirming that the application logic meets capacity and arearestraints of the configurable hardware platform. For example, theapplication logic can be restricted to use only logic within one or morereconfigurable regions. If the application logic is outside of thoseregions, then the application logic can be rejected. Additionally, theapplication logic can be ingested as a bitstream, and the bitstream canbe validated by the validation 340. The validation of a bitstream caninclude comparing a portion of the ingested bitstream data correspondingto the host logic to a baseline version of the host logic to confirmthat the host logic is not corrupted. The output from the validationblock 340 can be validated configuration data.

The logic repository service can include signing and encryption 350functionality. For example, one or more of the different files used asinputs or produced during the flow 300 can be encrypted and/or signedbefore or after being stored in a database. In particular, the validatedconfiguration data can be signed and encrypted before it is transmittedto an end-user (such as when launching an instance) or a developer. Asone example, the validated configuration data can be used as an input toa cryptographic hash function to generate a digest. The digest can beencoded or encrypted using an asymmetric cryptographic function and afirst private key that is paired with a first public key. A signaturecan be generated that includes the encrypted digest, the first publickey for decrypting the encrypted digest, and a name or code of thecryptographic hash function used to generate a digest. The signature canbe appended to the validated configuration data to create an unencryptedfile which can be encrypted with a second cryptographic function and asecond key. The second cryptographic function can be a symmetric or anasymmetric cryptographic function.

FIG. 4 is a computing system diagram of a network-based compute serviceprovider 400 that illustrates one environment in which embodimentsdescribed herein can be used. By way of background, the compute serviceprovider 400 (i.e., the cloud provider) is capable of delivery ofcomputing and storage capacity as a service to a community of endrecipients. In an example embodiment, the compute service provider canbe established for an organization by or on behalf of the organization.That is, the compute service provider 400 may offer a “private cloudenvironment.” In another embodiment, the compute service provider 400supports a multi-tenant environment, wherein a plurality of customersoperate independently (i.e., a public cloud environment). Generallyspeaking, the compute service provider 400 can provide the followingmodels: Infrastructure as a Service (“IaaS”), Platform as a Service(“PaaS”), and/or Software as a Service (“SaaS”). Other models can beprovided. For the IaaS model, the compute service provider 400 can offercomputers as physical or virtual machines and other resources. Thevirtual machines can be run as guests by a hypervisor, as describedfurther below. The PaaS model delivers a computing platform that caninclude an operating system, programming language execution environment,database, and web server. Application developers can develop and runtheir software solutions on the compute service provider platformwithout the cost of buying and managing the underlying hardware andsoftware. Additionally, application developers can develop and run theirhardware solutions on configurable hardware of the compute serviceprovider platform. The SaaS model allows installation and operation ofapplication software in the compute service provider. In someembodiments, end users access the compute service provider 400 usingnetworked client devices, such as desktop computers, laptops, tablets,smartphones, etc. running web browsers or other lightweight clientapplications. Those skilled in the art will recognize that the computeservice provider 400 can be described as a “cloud” environment.

The particular illustrated compute service provider 400 includes aplurality of server computers 402A-402C. While only three servercomputers are shown, any number can be used, and large centers caninclude thousands of server computers. The server computers 402A-402Ccan provide computing resources for executing software instances406A-406C. In one embodiment, the software instances 406A-406C arevirtual machines. As known in the art, a virtual machine is an instanceof a software implementation of a machine (i.e. a computer) thatexecutes applications like a physical machine. In the example of avirtual machine, each of the servers 402A-402C can be configured toexecute a hypervisor 408 or another type of program configured to enablethe execution of multiple software instances 406 on a single server.Additionally, each of the software instances 406 can be configured toexecute one or more applications.

It should be appreciated that although the embodiments disclosed hereinare described primarily in the context of virtual machines, other typesof instances can be utilized with the concepts and technologiesdisclosed herein. For instance, the technologies disclosed herein can beutilized with storage resources, data communications resources, and withother types of computing resources. The embodiments disclosed hereinmight also execute all or a portion of an application directly on acomputer system without utilizing virtual machine instances.

The server computers 402A-402C can include a heterogeneous collection ofdifferent hardware resources or instance types. Some of the hardwareinstance types can include configurable hardware that is at leastpartially configurable by a user of the compute service provider 400.One example of an instance type can include the server computer 402Awhich is in communication with configurable hardware 404A. Specifically,the server computer 402A and the configurable hardware 404A cancommunicate over a local interconnect such as PCIe. Another example ofan instance type can include the server computer 402B and configurablehardware 404B. For example, the configurable logic 404B can beintegrated within a multi-chip module or on the same die as a CPU of theserver computer 402B. Yet another example of an instance type caninclude the server computer 402C without any configurable hardware.Thus, hardware instance types with and without configurable logic can bepresent within the resources of the compute service provider 400.

One or more server computers 420 can be reserved for executing softwarecomponents for managing the operation of the server computers 402 andthe software instances 406. For example, the server computer 420 canexecute a management component 422. A customer can access the managementcomponent 422 to configure various aspects of the operation of thesoftware instances 406 purchased by the customer. For example, thecustomer can purchase, rent or lease instances and make changes to theconfiguration of the software instances. The configuration informationfor each of the software instances can be stored as a machine image (MI)442 on the network-attached storage 440. Specifically, the MI 442describes the information used to launch a virtual machine (VM)instance. The MI can include a template for a root volume of theinstance (e.g., an OS and applications), launch permissions forcontrolling which customer accounts can use the MI, and a block devicemapping which specifies volumes to attach to the instance when theinstance is launched. The MI can also include a reference to aconfigurable hardware image (CHI) 442 which is to be loaded onconfigurable hardware 404 when the instance is launched. The CHIincludes configuration data for programming or configuring at least aportion of the configurable hardware 404. The CHI can be encrypted andsigned.

The customer can also specify settings regarding how the purchasedinstances are to be scaled in response to demand. The managementcomponent can further include a policy document to implement customerpolicies. An auto scaling component 424 can scale the instances 406based upon rules defined by the customer. In one embodiment, the autoscaling component 424 allows a customer to specify scale-up rules foruse in determining when new instances should be instantiated andscale-down rules for use in determining when existing instances shouldbe terminated. The auto scaling component 424 can consist of a number ofsubcomponents executing on different server computers 402 or othercomputing devices. The auto scaling component 424 can monitor availablecomputing resources over an internal management network and modifyresources available based on need.

A deployment component 426 can be used to assist customers in thedeployment of new instances 406 of computing resources. The deploymentcomponent can have access to account information associated with theinstances, such as who is the owner of the account, credit cardinformation, country of the owner, etc. The deployment component 426 canreceive a configuration from a customer that includes data describinghow new instances 406 should be configured. For example, theconfiguration can specify one or more applications to be installed innew instances 406, provide scripts and/or other types of code to beexecuted for configuring new instances 406, provide cache logicspecifying how an application cache should be prepared, and other typesof information. The deployment component 426 can utilize thecustomer-provided configuration and cache logic to configure, prime, andlaunch new instances 406. The configuration, cache logic, and otherinformation may be specified by a customer using the managementcomponent 422 or by providing this information directly to thedeployment component 426. The instance manager can be considered part ofthe deployment component.

Customer account information 428 can include any desired informationassociated with a customer of the multi-tenant environment. For example,the customer account information can include a unique identifier for acustomer, a customer address, billing information, licensinginformation, customization parameters for launching instances,scheduling information, auto-scaling parameters, previous IP addressesused to access the account, a listing of the MI's and CHI's accessibleto the customer, etc.

One or more server computers 430 can be reserved for executing softwarecomponents for managing the download of configuration data toconfigurable hardware 404 of the server computers 402. For example, theserver computer 430 can execute a logic repository service comprising aningestion component 432, a library management component 434, and adownload component 436. The ingestion component 432 can receive hostlogic and application logic designs or specifications and generateconfiguration data that can be used to configure the configurablehardware 404. The library management component 434 can be used to managesource code, user information, and configuration data associated withthe logic repository service. For example, the library managementcomponent 434 can be used to store configuration data generated from auser's design in a location specified by the user on thenetwork-attached storage 440. In particular, the configuration data canbe stored within a configurable hardware image 442 on thenetwork-attached storage 440. Additionally, the library managementcomponent 434 can manage the versioning and storage of input files (suchas the specifications for the application logic and the host logic) andmetadata about the logic designs and/or the users of the logicrepository service. The library management component 434 can index thegenerated configuration data by one or more properties such as a useridentifier, an instance type, a marketplace identifier, a machine imageidentifier, and a configurable hardware identifier, for example. Thedownload component 436 can be used to authenticate requests forconfiguration data and to transmit the configuration data to therequestor when the request is authenticated. For example, agents on theserver computers 402A-B can send requests to the download component 436when the instances 406 are launched that use the configurable hardware404. As another example, the agents on the server computers 402A-B cansend requests to the download component 436 when the instances 406request that the configurable hardware 404 be partially reconfiguredwhile the configurable hardware 404 is in operation.

The network-attached storage (NAS) 440 can be used to provide storagespace and access to files stored on the NAS 440. For example, the NAS440 can include one or more server computers used for processingrequests using a network file sharing protocol, such as Network FileSystem (NFS). The NAS 440 can include removable or non-removable media,including magnetic disks, storage area networks (SANs), redundant arraysof independent disks (RAID), magnetic tapes or cassettes, CD-ROMs, DVDs,or any other medium which can be used to store information in anon-transitory way and which can be accessed over the network 450.

The network 450 can be utilized to interconnect the server computers402A-402C, the server computers 420 and 430, and the storage 440. Thenetwork 450 can be a local area network (LAN) and can be connected to aWide Area Network (WAN) 460 so that end users can access the computeservice provider 400. It should be appreciated that the network topologyillustrated in FIG. 4 has been simplified and that many more networksand networking devices can be utilized to interconnect the variouscomputing systems disclosed herein.

FIG. 5 shows further details of an example system 500 includingcomponents of a control plane and a data plane for configuring andinterfacing to a configurable hardware platform 510. The control planeincludes functions for initializing, monitoring, reconfiguring, andtearing down the configurable hardware platform 510. The data planeincludes functions for communicating between a user's application andthe configurable hardware platform 510. The control plane can beaccessible by users or services having a higher privilege level and thedata plane can be accessible by users or services having a lowerprivilege level. In one embodiment, the configurable hardware platform510 is connected to a server computer 520 using a local interconnect,such as PCIe. In an alternative embodiment, the configurable hardwareplatform 510 can be integrated within the hardware of the servercomputer 520. As one example, the server computer 520 can be one of theplurality of server computers 402A-402B of the compute service provider400 of FIG. 4.

The server computer 520 has underlying hardware 522 including one ormore CPUs, memory, storage devices, interconnection hardware, etc.Running a layer above the hardware 522 is a hypervisor or kernel layer524. The hypervisor or kernel layer can be classified as a type 1 ortype 2 hypervisor. A type 1 hypervisor runs directly on the hosthardware 522 to control the hardware and to manage the guest operatingsystems. A type 2 hypervisor runs within a conventional operating systemenvironment. Thus, in a type 2 environment, the hypervisor can be adistinct layer running above the operating system and the operatingsystem interacts with the system hardware. Different types ofhypervisors include Xen-based, Hyper-V, ESXi/ESX, Linux, etc., but otherhypervisors can be used. A management partition 530 (such as Domain 0 ofthe Xen hypervisor) can be part of the hypervisor or separated therefromand generally includes device drivers needed for accessing the hardware522. User partitions 540 are logical units of isolation within thehypervisor. Each user partition 540 can be allocated its own portion ofthe hardware layer's memory, CPU allocation, storage, interconnectbandwidth, etc. Additionally, each user partition 540 can include avirtual machine and its own guest operating system. As such, each userpartition 540 is an abstract portion of capacity designed to support itsown virtual machine independent of the other partitions.

The management partition 530 can be used to perform management servicesfor the user partitions 540 and the configurable hardware platform 510.The management partition 530 can communicate with web services (such asa deployment service, a storage service 550, and a health monitoringservice) of the compute service provider, the user partitions 540, andthe configurable hardware platform 510. The management services caninclude services for launching and terminating user partitions 540, andconfiguring, reconfiguring, and tearing down the configurable logic ofthe configurable hardware platform 510. As a specific example, themanagement partition 530 can launch a new user partition 540 in responseto a request from a deployment service (such as the deployment component426 of FIG. 4). The request can include a reference to an MI and/or aCHI. The MI can specify programs and drivers to load on the userpartition 540 and the CHI can specify configuration data to load on theconfigurable hardware platform 510. The management partition 530 caninitialize the user partition 540 based on the information associatedwith the MI and can cause the configuration data associated with the CHIto be loaded onto the configurable hardware platform 510. Theinitialization of the user partition 540 and the configurable hardwareplatform 510 can occur concurrently so that the time to make theinstance operational can be reduced.

The management partition 530 can be used to manage programming andmonitoring of the configurable hardware platform 510. By using themanagement partition 530 for this purpose, access to the configurationdata and the configuration ports of the configurable hardware platform510 can be restricted. Specifically, users with lower privilege levelscan be restricted from directly accessing the management partition 530.Thus, the configurable logic cannot be modified without using theinfrastructure of the compute services provider and any third party IPused to program the configurable logic can be protected from viewing byunauthorized users.

The management partition 530 can include a software stack for thecontrol plane to configure and interface to a configurable hardwareplatform 510. The control plane software stack can include aconfigurable logic (CL) application management layer 532 forcommunicating with web services (such as the storage service 550 and ahealth monitoring service), the configurable hardware platform 510, andthe user partitions 540. For example, the CL application managementlayer 532 can issue a request to the storage service 550 to fetch signedand encrypted configuration data in response to a user partition 540being launched. In one embodiment, the storage service 550 can be alogic repository service. The CL application management layer 532 cancommunicate with the user partition 540 using shared memory of thehardware 522 or by sending and receiving inter-partition messages overthe interconnect connecting the server computer 520 to the configurablehardware platform 510. Specifically, the CL application management layer532 can read and write messages to mailbox logic 511 of the configurablehardware platform 510. The messages can include requests by an end-userapplication 541 to reconfigure or tear-down the configurable hardwareplatform 510. The CL application management layer 532 can issue arequest to the storage service 550 to fetch signed and encryptedconfiguration data in response to a request to reconfigure theconfigurable hardware platform 510. The CL application management layer532 can initiate a tear-down sequence in response to a request to teardown the configurable hardware platform 510. The CL applicationmanagement layer 532 can perform watchdog related activities todetermine whether the communication path to the user partition 540 isfunctional.

The control plane software stack can include a CL configuration layer534 for accessing the configuration port 512 (e.g., a configurationaccess port) of the configurable hardware platform 510 so thatconfiguration data can be loaded onto the configurable hardware platform510. For example, the CL configuration layer 534 can send a command orcommands to the management function 513 which can forward the commandsto the configuration port 512 to perform a full or partial configurationof the configurable hardware platform 510. The CL configuration layer534 can send the configuration data (e.g., a bitstream) to theconfiguration port 512 so that the configurable logic can be programmedaccording to the configuration data. The configuration data can specifyhost logic and/or application logic.

The configuration data can be encrypted or unencrypted when it is sentfrom the server computer 520 to the management function 513. As oneexample, the CL configuration layer 534 can include or accessfunctionality (such as the cryptography engine 535) for decrypting thesigned and encrypted configuration data and authenticating the signatureof the signed and encrypted configuration data. Thus, the CLconfiguration layer 534 can decrypt and authenticate the signed andencrypted configuration data so that the configuration data can be sentto the management function 513 unencrypted when the signature isverified to be authentic. As another example, the CL configuration layer534 can transmit the signed and encrypted configuration data to themanagement function 513, and the management function 513 can include oraccess functionality (such as the cryptography engine 517) to decryptand authenticate the signed and encrypted configuration data. If theconfiguration data is authenticated, the configuration data can beloaded onto the configurable hardware platform 510. However, if theconfiguration data is not authenticated, the configuration data will notbe loaded onto the configurable hardware platform 510.

The control plane software stack can include a management driver 536 forcommunicating over the physical interconnect connecting the servercomputer 520 to the configurable hardware platform 510. The managementdriver 536 can encapsulate commands, requests, responses, messages, anddata originating from the management partition 530 for transmission overthe physical interconnect. Additionally, the management driver 536 cande-encapsulate commands, requests, responses, messages, and data sent tothe management partition 530 over the physical interconnect.Specifically, the management driver 536 can communicate with themanagement function 513 of the configurable hardware platform 510. Forexample, the management function 513 can be a physical or virtualfunction mapped to an address range during an enumeration of devicesconnected to the physical interconnect. The management driver 536 cancommunicate with the management function 513 by addressing transactionsto the address range assigned to the management function 513.

The control plane software stack can include a CL management andmonitoring layer 538. The CL management and monitoring layer 538 canmonitor and analyze transactions occurring on the physical interconnectto determine a health of the configurable hardware platform 510 and/orto determine usage characteristics of the configurable hardware platform510. For example, the CL management and monitoring layer 538 can monitorwhether configuration data is successfully deployed on the configurablehardware platform 510 and can cause a report to be transmitted to thestorage service 550 indicating the status of the deployment.

The configurable hardware platform 510 can include non-configurable hardmacros and configurable logic. The hard macros can perform specificfunctions within the configurable hardware platform 510, such asinput/output blocks (e.g., serializer and deserializer (SERDES) blocksand gigabit transceivers), analog-to-digital converters, memory controlblocks, test access ports, and a configuration port 512. Theconfigurable logic can be programmed or configured by loadingconfiguration data onto the configurable hardware platform 510. Forexample, the configuration port 512 can be used for loading theconfiguration data. As one example, configuration data can be stored ina memory (such as a Flash memory) accessible by the configuration port512 and the configuration data can be automatically loaded during aninitialization sequence (such as during a power-on sequence) of theconfigurable hardware platform 510. Additionally, the configuration port512 can be accessed using an off-chip processor or an interface withinthe configurable hardware platform 510.

The configurable logic can be programmed to include host logic andapplication logic. The host logic can shield the interfaces of at leastsome of the hard macros from the end-users so that the end-users havelimited access to the hard macros and to the physical interconnect. Forexample, the host logic can include the mailbox logic 511, theconfiguration port 512, the management function 513, the host interface514, and the application function 515. The end-users can cause theconfigurable application logic 516 to be loaded on the configurablehardware platform 510, and can communicate with the configurableapplication logic 516 from the user partitions 540 (via the applicationfunction 515).

The host interface logic 514 can include circuitry (e.g., hard macrosand/or configurable logic) for signaling on the physical interconnectand implementing a communications protocol. The communications protocolspecifies the rules and message formats for communicating over theinterconnect. The application function 515 can be used to communicatewith drivers of the user partitions 540. Specifically, the applicationfunction 515 can be a physical or virtual function mapped to an addressrange during an enumeration of devices connected to the physicalinterconnect. The application drivers can communicate with theapplication function 515 by addressing transactions to the address rangeassigned to the application function 515. Specifically, the applicationfunction 515 can communicate with an application logic management driver542 to exchange commands, requests, responses, messages, and data overthe control plane. The application function 515 can communicate with anapplication logic data plane driver 543 to exchange commands, requests,responses, messages, and data over the data plane.

The mailbox logic 511 can include one or more buffers and one or morecontrol registers. For example, a given control register can beassociated with a particular buffer and the register can be used as asemaphore to synchronize between the management partition 530 and theuser partition 540. As a specific example, if a partition can modify avalue of the control register, the partition can write to the buffer.The buffer and the control register can be accessible from both themanagement function 513 and the application function 515. When themessage is written to the buffer, another control register (e.g., themessage ready register) can be written to indicate the message iscomplete. The message ready register can polled by the partitions todetermine if a message is present, or an interrupt can be generated andtransmitted to the partitions in response to the message ready registerbeing written.

The user partition 540 can include a software stack for interfacing anend-user application 540 to the configurable hardware platform 510. Theapplication software stack can include functions for communicating withthe control plane and the data plane. Specifically, the applicationsoftware stack can include a CL-Application API 544 for providing theend-user application 540 with access to the configurable hardwareplatform 510. In one embodiment, the application software stack caninclude tools for programming the configurable hardware platform 510.The CL-Application API 544 can include a library of methods or functionsfor communicating with the configurable hardware platform 510 and themanagement partition 530. For example, the end-user application 541 cansend a command or data to the configurable application logic 516 byusing an API of the CL-Application API 544. In particular, the API ofthe CL-Application API 544 can interface with the application logic (AL)data plane driver 543 which can generate a transaction targeted to theapplication function 515 which can communicate with the configurableapplication logic 516. In this manner, the end-user application 541 cancause the configurable application logic 516 receive, process, and/orrespond with data to potentially accelerate tasks of the end-userapplication 541. As another example, the end-user application 541 cansend a command or data to the management partition 530 by using an APIof the CL-Application API 544. In particular, the API of theCL-Application API 544 can interface with the AL management driver 542which can generate a transaction targeted to the application function515 which can communicate with the mailbox logic 511. In this manner,the end-user application 541 can cause the management partition 530 toprovide operational or metadata about the configurable hardware platform510 and/or to request that the configurable application logic 516 bereconfigured.

The application software stack in conjunction with the hypervisor orkernel 524 can be used to limit the operations available to perform overthe physical interconnect by the end-user application 541. For example,the compute services provider can provide the AL management driver 542,the AL data plane driver 543, and the CL-Application API 544 (such as byassociating the files with a machine image). These components can beprotected from modification by only permitting users and services havinga higher privilege level than the end-user to write to the files. The ALmanagement driver 542 and the AL data plane driver 543 can be restrictedto using only addresses within the address range of the applicationfunction 515. Additionally, an input/output memory management unit (I/OMMU) can restrict interconnect transactions to be within the addressranges of the application function 515 or the management function 513.

In one embodiment, the application software stack can be used inconjunction with the control plane software stack and/or the host logicto configure the configurable hardware platform 510. As one example, theend-user application 541 can fetch the signed and encryptedconfiguration data from the storage service 550. The signed andencrypted configuration data can be communicated to the control planesoftware stack which can decrypt and verify the configuration databefore programming the configurable hardware platform 510. Inparticular, the signed and encrypted configuration data can becommunicated from the application software stack to the control planesoftware stack using the mailbox logic 511 or a shared memory region ofthe hardware 522. The control plane software stack and/or the host logiccan be used to decrypt and verify the configuration data, and theconfigurable hardware platform 510 can be programmed when the signatureis authenticated. As another example, the end-user application 541 canfetch the signed and encrypted configuration data from the storageservice 550. The signed and encrypted configuration data can becommunicated to the host logic which can decrypt and verify theconfiguration data before programming the configurable hardware platform510. In particular, the signed and encrypted configuration data can becommunicated to the application function 515 which can forward the datato a cryptographic engine 517 of the host logic. The cryptographicengine 517 can be used to decrypt and verify the configuration data andto initiate the programming sequence of the configuration port 512. Byperforming the decryption and authentication on host logic hardware, theconfidentiality of the configuration data may be more secure thanperforming the decryption and authentication in software and thentransferring the unencrypted data to the configurable hardware platform510.

FIG. 6 is a flow diagram of an example method 600 for managing and usingconfiguration data that can be used to configure or program configurablehardware in, for example, a multi-tenant environment. As one example,the method 600 can be implemented using a logic repository service, suchas described with reference to FIGS. 1-3.

At 610, a request can be received to generate configuration data forconfigurable hardware using a specification for application logic of theconfigurable hardware. The specification for the application logic caninclude source code (e.g., HDL or RTL source code), a netlist, and/orconfiguration data corresponding to the application logic. The requestcan specify an instance type associated with the configuration data. Therequest can include an access list indicating users that can access theconfiguration data. The request can include a version of host logic touse with the application logic.

At 620, the configuration data can be generated for the configurablehardware. Generating the configuration data can include verifying theapplication logic complies with one or more criteria of the computeservices provider, integrating the application logic into a host logicwrapper, synthesizing the application logic, and/or placing and routingthe application logic. The configuration data can include data forimplementing the application logic and/or host logic on the configurablehardware. The configuration data can include data for implementingmultiple components at one or more times during the operation of theconfigurable hardware. For example, the configuration data can include astatic logic component (to be loaded during an initialization sequenceof the configurable hardware) and one or more reconfigurable components(to be loaded after the initialization sequence of the configurablehardware). The different reconfigurable components can be associatedwith overlapping or non-overlapping regions of the configurablehardware. The configuration data can include a host logic componentand/or an application logic component. The configuration data can begenerated in one or more formats. As one example, the configuration datacan be a full or partial bitstream. Information associated with theconfiguration data can also be generated. For example, log files,implementation reports, and timing reports can be generated with theconfiguration data. The implementation and timing reports can be used bya developer or design system to modify, resynthesize, orre-place-and-route the design for the configurable hardware.

At 630, the configuration data can be encrypted to generate encryptedconfiguration data. By encrypting the configuration data, theconfiguration data cannot be readily viewed, copied, orreverse-engineered. The configuration data can be encrypted using asymmetric and/or asymmetric cryptographic algorithm. A symmetriccryptographic algorithm uses the same key to both encrypt and decryptthe data. An asymmetric cryptographic algorithm uses a public key toencrypt the data and a private key to decrypt the data. Asymmetriccryptographic algorithms may be more computationally expensive thansymmetric cryptographic algorithms. To reduce the computationalrequirements for encrypting and decrypting the configuration data, theconfiguration data can be encrypted with a symmetric cryptographicalgorithm using a single-use key, and the single-use symmetric key canbe encrypted with an asymmetric cryptographic algorithm using a publickey. The encrypted single-use symmetric key can be appended to theencrypted configuration data. As another example, the configuration datafor all users of a compute services provider can be encrypted with thesame key so that decryption can be performed with a single key. Asanother example, the configuration data for each user or group of userscan be encrypted with different respective keys so that if one key iscompromised, designs encrypted with different keys can remainconfidential.

At 640, the encrypted configuration data can be signed using a privatekey to generate signed encrypted configuration data. By digitallysigning the encrypted configuration data, the authenticity and integrityof the configuration data can be verified. Signing the encryptedconfiguration data can include appending or attaching a digitalsignature to the encrypted configuration data. The digital signature caninclude an encrypted digest. The digest can be a number that isrepresented with a predefined number of bits. Specifically, the digestcan be generated by applying a cryptographic hash function to theencrypted configuration data. The digest can be encrypted using anasymmetric cryptographic algorithm and a private key. The private key toencrypt the digest can be the same or different than a private key todecrypt the encrypted configuration data. The digital signature caninclude additional information such as a public key for decrypting theencrypted digest and information about the cryptographic hash functionused to create the digest. In an alternative embodiment, theconfiguration data can be signed before it is encrypted.

At 650, the signed encrypted configuration data can be transmitted. Asone example, the signed encrypted configuration data can be transmittedin response to the request (610) to generate configuration data. Asanother example, the signed encrypted configuration data can betransmitted to a storage service of the compute services provider. Asanother example, the signed encrypted configuration data can betransmitted in response to a software instance being launched within amulti-tenant environment. In particular, the software instance can bebased on a machine image that references a template volume for themachine image. The template volume can include the signed encryptedconfiguration data, and the signed encrypted configuration data can beloaded as part of the launch sequence for the software instance. Asanother example, the signed encrypted configuration data can betransmitted in response to a software instance requesting the signedencrypted configuration data from a storage service or a logicrepository service.

At 660, the signed encrypted configuration data can be received. Forexample, the signed encrypted configuration data can be received at ahost server computer within a multi-tenant environment. The host servercomputer can be executing a hypervisor and one or more virtual machinesrunning as guests on the hypervisor. For example, one of the virtualmachines can include a management kernel and another of the virtualmachines can include an end-user application and a management driver forinterfacing with the configurable hardware and/or the management kernel.The signed encrypted configuration data can be received at either themanagement kernel or the end-user application.

At 670, the signature of the signed encrypted configuration data can beverified using a public key. As one example, the signed encryptedconfiguration data can include a signature having an encrypted digest, apublic key for decrypting the encrypted digest, and information aboutthe cryptographic hash function used to create the digest. The receiverof the signed encrypted configuration data can decrypt the encrypteddigest using the public key in the signature. The receiver of the signedencrypted configuration data can create a generated digest using theinformation about the cryptographic hash function and the signedencrypted configuration data. Alternatively, the cryptographic hashfunction can be predefined, and the receiver of the signed encryptedconfiguration data can create a generated digest using only the signedencrypted configuration data. The generated digest can be compared tothe decrypted digest, and if they match, the signature can be validated.If the generated digest and the decrypted digest do not match, thesignature verification fails and the configuration data can be preventedfrom being loaded onto the configurable hardware.

At 680, the encrypted configuration data can be decrypted and theconfigurable hardware can be programmed with the configuration data. Ifthe encrypted configuration data was encrypted using a symmetriccryptographic algorithm, the encrypted configuration data can bedecrypted using the same key that was used to encrypt it. If theencrypted configuration data was encrypted using an asymmetriccryptographic algorithm, the encrypted configuration data can bedecrypted using a private key that is paired with the public key thatwas used to encrypt the data. As described above, both symmetric andasymmetric encryption can be used to encrypt the configuration data andso decryption can involve multiple phases using different keys andalgorithms. The decrypted configuration data can be loaded onto theconfigurable hardware so that the configurable hardware will beconfigured with the host logic and the application logic.

Each of 670 and 680 can be performed by the same components or differentcomponents. For example, a host server computer can be executing ahypervisor and one or more virtual machines running as guests on thehypervisor. One of the virtual machines can include a management kerneland another of the virtual machines can include an end-user applicationand a management driver for interfacing with the configurable hardwareand/or the management kernel. The host server computer can be incommunication with the configurable hardware. As one example, themanagement kernel can both verify the signature and decrypt theencrypted configuration data so that the configuration data can becommunicated unencrypted to the configurable hardware. As anotherexample, the management kernel can verify the signature and communicatethe encrypted configuration data to the configurable hardware so thatthe host logic of the configurable hardware can decrypt the encryptedconfiguration data. As another example, the end-user application caninitiate loading of the configuration data by accessing an API of themanagement driver. The signature of the signed encrypted configurationdata can be verified by the management driver and the encryptedconfiguration data can be decrypted by the management driver, themanagement kernel, or the host logic of the configurable hardware. Asanother example, the signed encrypted configuration data can becommunicated to the configurable hardware and the host logic can bothverify the signature and decrypt the encrypted configuration data. Insum, the signature verification and the decrypting of the configurationdata can be performed by software, hardware, or a combination thereof.

FIG. 7 is a flow diagram of an example method 700 of managing and usingconfiguration data that can be used to configure or program configurablehardware in, for example, a multi-tenant environment. For example, themethod 700 can be implemented by a logic repository service, such asdescribed above in reference to FIGS. 1-3.

At 710, a first specification for application logic of the configurablehardware can be ingested. Additionally, a second specification for hostlogic of the configurable hardware can be ingested. The first and secondspecifications can be used to generate the configuration data for theconfigurable hardware. For example, the specifications can include HDLor RTL source code, a netlist, and/or a partial bitstream for the hostlogic and the application logic. When the specification includes sourcecode, the source code can be synthesized to generate a netlist. Anetlist can be placed and routed to generate configuration data. Theconfiguration data can be formatted in a variety of formats, such as abitstream that identifies programming or settings for individualcomponents of the configurable hardware. The configuration data can beseparated into different components, such as a component havingconfiguration data for the static logic and one or more componentshaving configuration data for the reconfigurable static logic.

At 720, the configuration data can be encrypted to generate encryptedconfiguration data. The configuration data can be encrypted using asymmetric cryptographic algorithm, an asymmetric cryptographicalgorithm, or combinations thereof. As a specific example, theconfiguration data can be encrypted with a symmetric cryptographicalgorithm using a first key, and the first key can be encrypted with anasymmetric cryptographic algorithm using a second key. The encryptedfirst key can be appended to the encrypted configuration data. Thedifferent components of the configuration data can be separatelyencrypted using the same or different keys.

At 730, the encrypted configuration data can be signed to generatesigned encrypted configuration data. Signing the encrypted configurationdata can include appending or attaching a digital signature to theencrypted configuration data. The digital signature can include anencrypted digest, where the digest can be generated by applying acryptographic hash function to the encrypted configuration data. Thedigest can be encrypted using an asymmetric cryptographic algorithm anda private key that is part of a public-private key pair. The differentcomponents of the configuration data can be separately signed so thatthe different components can be independently stored and retrieved.

At 740, the signed encrypted configuration data can be stored in adatabase. For example, the signed encrypted configuration data can bestored in a logic repository database, such as the logic repositorydatabase 150. The signed encrypted configuration data can be stored inassociation with a machine image, a user, a configurable hardware image,a product code, or any other information that can be used to retrievethe information data. The signed encrypted configuration data can bestored in association with the first and second specifications, and/orwith a suite of verification tests. The signed encrypted configurationdata can be stored in association with an access list so that the signedencrypted configuration data can be accessed by developers and/orend-users of the configuration data.

At 750, the signed encrypted configuration data can be retrieved fromthe database. For example, the signed encrypted configuration data canbe retrieved when deploying a new instance within the compute resourcesprovided by the compute service provider. As another example, the signedencrypted configuration data can be retrieved in response to a userapplication requesting the configuration data to be downloaded duringexecution of the application. As another example, the signed encryptedconfiguration data can be retrieved in response to a developer or thecompute services provider updating, viewing, or testing theconfiguration data. As another example, the signed encryptedconfiguration data can be retrieved in response to a developer creatinga template volume for a machine image, where the template volumeincludes the configuration data.

At 760, the configurable hardware can be programmed based on the signedencrypted configuration data. For example, the signature of the signedencrypted configuration data can be verified, the encryptedconfiguration data can be decrypted, and the unencrypted configurationdata can be used to program the configurable hardware. Once configured,the configurable hardware can include the functions specified by thehost logic design and the application logic design.

FIG. 8 depicts a generalized example of a suitable computing environment800 in which the described innovations may be implemented. The computingenvironment 800 is not intended to suggest any limitation as to scope ofuse or functionality, as the innovations may be implemented in diversegeneral-purpose or special-purpose computing systems. For example, thecomputing environment 800 can be any of a variety of computing devices(e.g., desktop computer, laptop computer, server computer, tabletcomputer, etc.)

With reference to FIG. 8, the computing environment 800 includes one ormore processing units 810, 815 and memory 820, 825. In FIG. 8, thisbasic configuration 830 is included within a dashed line. The processingunits 810, 815 execute computer-executable instructions. A processingunit can be a general-purpose central processing unit (CPU), processorin an application-specific integrated circuit (ASIC) or any other typeof processor. In a multi-processing system, multiple processing unitsexecute computer-executable instructions to increase processing power.For example, FIG. 8 shows a central processing unit 810 as well as agraphics processing unit or co-processing unit 815. The tangible memory820, 825 may be volatile memory (e.g., registers, cache, RAM),non-volatile memory (e.g., ROM, EEPROM, flash memory, etc.), or somecombination of the two, accessible by the processing unit(s). The memory820, 825 stores software 880 implementing one or more innovationsdescribed herein, in the form of computer-executable instructionssuitable for execution by the processing unit(s).

A computing system may have additional features. For example, thecomputing environment 800 includes storage 840, one or more inputdevices 850, one or more output devices 860, and one or morecommunication connections 870. An interconnection mechanism (not shown)such as a bus, controller, or network interconnects the components ofthe computing environment 800. Typically, operating system software (notshown) provides an operating environment for other software executing inthe computing environment 800, and coordinates activities of thecomponents of the computing environment 800.

The tangible storage 840 may be removable or non-removable, and includesmagnetic disks, magnetic tapes or cassettes, CD-ROMs, DVDs, or any othermedium which can be used to store information in a non-transitory wayand which can be accessed within the computing environment 800. Thestorage 840 stores instructions for the software 880 implementing one ormore innovations described herein.

The input device(s) 850 may be a touch input device such as a keyboard,mouse, pen, or trackball, a voice input device, a scanning device, oranother device that provides input to the computing environment 800. Theoutput device(s) 860 may be a display, printer, speaker, CD-writer, oranother device that provides output from the computing environment 800.

The communication connection(s) 870 enable communication over acommunication medium to another computing entity. The communicationmedium conveys information such as computer-executable instructions,audio or video input or output, or other data in a modulated datasignal. A modulated data signal is a signal that has one or more of itscharacteristics set or changed in such a manner as to encode informationin the signal. By way of example, and not limitation, communicationmedia can use an electrical, optical, RF, or other carrier.

Although the operations of some of the disclosed methods are describedin a particular, sequential order for convenient presentation, it shouldbe understood that this manner of description encompasses rearrangement,unless a particular ordering is required by specific language set forthbelow. For example, operations described sequentially may in some casesbe rearranged or performed concurrently. Moreover, for the sake ofsimplicity, the attached figures may not show the various ways in whichthe disclosed methods can be used in conjunction with other methods.

Any of the disclosed methods can be implemented as computer-executableinstructions stored on one or more computer-readable storage media(e.g., one or more optical media discs, volatile memory components (suchas DRAM or SRAM), or non-volatile memory components (such as flashmemory or hard drives)) and executed on a computer (e.g., anycommercially available computer, including smart phones or other mobiledevices that include computing hardware). The term computer-readablestorage media does not include communication connections, such assignals and carrier waves. Any of the computer-executable instructionsfor implementing the disclosed techniques as well as any data createdand used during implementation of the disclosed embodiments can bestored on one or more computer-readable storage media. Thecomputer-executable instructions can be part of, for example, adedicated software application or a software application that isaccessed or downloaded via a web browser or other software application(such as a remote computing application). Such software can be executed,for example, on a single local computer (e.g., any suitable commerciallyavailable computer) or in a network environment (e.g., via the Internet,a wide-area network, a local-area network, a client-server network (suchas a cloud computing network), or other such network) using one or morenetwork computers.

For clarity, only certain selected aspects of the software-basedimplementations are described. Other details that are well known in theart are omitted. For example, it should be understood that the disclosedtechnology is not limited to any specific computer language or program.For instance, the disclosed technology can be implemented by softwarewritten in C++, Java, Perl, JavaScript, Adobe Flash, or any othersuitable programming language. Likewise, the disclosed technology is notlimited to any particular computer or type of hardware. Certain detailsof suitable computers and hardware are well known and need not be setforth in detail in this disclosure.

It should also be well understood that any functionality describedherein can be performed, at least in part, by one or more hardware logiccomponents, instead of software. For example, and without limitation,illustrative types of hardware logic components that can be used includeField-programmable Gate Arrays (FPGAs), Application-specific IntegratedCircuits (ASICs), Application-specific Standard Products (ASSPs),System-on-a-chip systems (SOCs), Complex Programmable Logic Devices(CPLDs), etc.

Furthermore, any of the software-based embodiments (comprising, forexample, computer-executable instructions for causing a computer toperform any of the disclosed methods) can be uploaded, downloaded, orremotely accessed through a suitable communication means. Such suitablecommunication means include, for example, the Internet, the World WideWeb, an intranet, software applications, cable (including fiber opticcable), magnetic communications, electromagnetic communications(including RF, microwave, and infrared communications), electroniccommunications, or other such communication means.

The disclosed methods, apparatus, and systems should not be construed aslimiting in any way. Instead, the present disclosure is directed towardall novel and nonobvious features and aspects of the various disclosedembodiments, alone and in various combinations and subcombinations withone another. The disclosed methods, apparatus, and systems are notlimited to any specific aspect or feature or combination thereof, nor dothe disclosed embodiments require that any one or more specificadvantages be present or problems be solved.

In view of the many possible embodiments to which the principles of thedisclosed invention may be applied, it should be recognized that theillustrated embodiments are only preferred examples of the invention andshould not be taken as limiting the scope of the invention. Rather, thescope of the invention is defined by the following claims. We thereforeclaim as our invention all that comes within the scope of these claims.

What is claimed is:
 1. A method, comprising: receiving a request in afirst server computer to generate configuration data for a hardwaredesign configured to be programmed into a field-programmable gate array(FPGA) in a second server computer in a compute service provider;generating the configuration data by integrating host logic associatedwith the compute service provider into the hardware design, wherein thehost logic protects the second server computer by controllinginteractions between the hardware design and the second server computer;encrypting the configuration data and storing the encryptedconfiguration data in a database; receiving a request to launch avirtual machine instance in the compute service provider, wherein therequest includes a request to use the hardware design; retrieving theencrypted configuration data from the database in response to therequest to launch the virtual machine instance; and transmitting theencrypted configuration data to the second server computer to configurethe FPGA and launching the virtual machine instance on the second servercomputer.
 2. The method of claim 1, wherein the request to generate theconfiguration data includes fields for specifying metadata about thehardware design, user information and access privileges for the hardwaredesign.
 3. The method of claim 1, further comprising verifying, on thesecond server computer, a signature of the encrypted bitstream using apublic key.
 4. The method of claim 1, wherein generating theconfiguration data comprises synthesizing the hardware design togenerate a netlist compatible with the FPGA.
 5. The method of claim 1,wherein the request to launch the virtual machine instance includes arequest for a particular central processing unit (CPU) to be executingin the second server computer and in communication with the FPGA.
 6. Themethod of claim 5, wherein the interactions controlled by the host logicinclude bus transactions between the hardware design programmed into theFPGA and the CPU.
 7. The method of claim 1, wherein the second servercomputer includes a cryptographic engine to authenticate and decrypt theencrypted configuration data.
 8. The method of claim 1, wherein thegenerating of the configuration data includes executing verificationtests to determine that the hardware design fits into the FPGA on thesecond server computer and is compatible with the host logic.
 9. Themethod of claim 1, wherein the generating of the configuration dataincludes analyzing whether the hardware design includes prohibited logicfunctions.
 10. The method of claim 1, wherein the integrating the hostlogic into the hardware design includes integrating the hardware designinto a host logic wrapper.
 11. A method, comprising: receiving a requestto generate configuration data using a specification for hardware logicdesigned to be used in a programmable gate array; generating theconfiguration data adapted for the programmable gate array, theconfiguration data including host logic and the hardware logicintegrated together; encrypting the configuration data to generateencrypted configuration data; signing the encrypted configuration datausing a private key; storing the signed, encrypted configuration data ina database; receiving a request to launch a virtual machine instance inassociation with the hardware logic; retrieving the signed encryptedconfiguration data from the database in response to the request tolaunch the virtual machine instance and transmitting the signedencrypted configuration data to a server computer designated to launchthe virtual machine instance; and decrypting the signed encryptedconfiguration data in the server computer and programming theprogrammable gate array using the configuration data.
 12. The method ofclaim 11, further including launching the virtual machine instance andassociating the hardware logic in the programmable gate array with thevirtual machine instance.
 13. The method of claim 11, wherein thegenerating of the configuration data is on a first server computer andthe server computer designated to launch the virtual machine instance isa second server computer different than the first server computer. 14.The method of claim 13, wherein the generating of the configuration dataincludes executing verification tests to determine that the hardwarelogic fits into the programmable gate array on the second servercomputer and is compatible with the host logic.
 15. The method of claim11, wherein the generating of the configuration data includes analyzingwhether the hardware logic includes prohibited logic functions on theserver computer.
 16. The method of claim 11, further includingintegrating the host logic into the hardware logic by integrating thehardware logic into a host logic wrapper.
 17. A system, comprising: afirst processor on a first server computer configured to receive arequest to generate configuration data using a specification forhardware logic designed to be used in a programmable gate array of asecond server computer; the processor configured to generate theconfiguration data by integrating the hardware logic into a host logicwrapper and encrypt the configuration data; a database coupled to thefirst processor for storing the encrypted configuration data; and asecond processor on a second server computer configured to request theencrypted configuration data from the first server computer in responseto a request to launch a virtual machine instance on the second servercomputer and program the programmable gate array with the configurationdata.
 18. The system of claim 17, wherein the second processor isconfigured to decrypt the encrypted configuration data using a cryptoengine.
 19. The system of claim 17, wherein the host logic wrapperprevents the hardware logic from controlling bus transactions betweenthe hardware logic and the second server computer.
 20. The system ofclaim 17, wherein the programmable gate array is a Field ProgrammableGate Array (FPGA).